Data Protection update - May 2018
Welcome to the May 2018 edition of our Data Protection bulletin, our monthly update on key developments in data protection law.
- The GDPR
- New Data Protection Act 2018
- Final ICO guidance
- Fees payable to the ICO under the new regime
- Framework for UK-EU partnership concerning data protection
- GDPR complaints issued against Facebook, Google, Instagram and WhatsApp
- National Cyber Security Centre guidance on how to address increased cyber threats
- ICO and NCSC publish GDPR security outcomes
- The UK's new network and information security regime
- SCL Elections Limited ordered to comply with SAR
- IAG Nationwide Ltd fined £100,000
- Crown Prosecution Service fined £325,000
- The University of Greenwich fined £120,000
It is fair to say that it has been hard to escape the reaches of the GDPR over the past few weeks. We have encountered in-depth discussions relating to the GDPR, not just in the office but in the most unexpected places, from yoga classes to local cricket club AGMs. You would be forgiven for wanting to put it all behind you now that it is one week since the implementation date; however, we hope you will allow us to clear up a few uncertainties and misconceptions.
Perhaps fearing the increased fines at stake under the GDPR, many companies have reached out to the individuals on their marketing lists to request that they renew their consent for marketing communications and data processing. Many of these requests were unnecessary and some were in fact unlawful.
Consent is just one of six legal grounds that can be relied on under the GDPR. The threshold for demonstrating valid consent is now higher under the GDPR than it was under the previous legislation; it must be unambiguous and involve a clear affirmative indication of the data subject's intentions. Consent also needs to be obtained for each specific processing operation and it cannot be contained in general terms and conditions or as a precondition for signing up to a service. That said, if you are relying on consent under the GDPR, this does not necessarily mean you need to ask for new consent. If consent was collected previously, and meets the 'GDPR standard' of consent, there is no need to request fresh consent. Most notably, consent only provided via a pre-ticked box will not meet this standard.
However, in the absence of consent there are five other legal grounds a company can cite for continuing to process data, the most relevant being legitimate interests for the purposes of sending marketing communications by email.
Email marketing is actually covered by a separate piece of existing legislation, the Privacy and Electronic Communications Regulations ("PECR"). Broadly speaking, under PECR you can carry out unsolicited direct marketing without consent if an individual has bought a product or service previously (or you have engaged in some form of negotiation or express communication between a potential customer and a service provider, or an individual has simply expressed interest in purchasing a company's products or services by asking for more information or requesting a quotation for services) and the subsequent marketing relates to similar goods and services (this is known as the "soft opt-in" exemption). For GDPR purposes, this exemption can be justified as a legitimate interest for processing personal data, so it is not necessary to rely on consent as your lawful basis for processing. Therefore, for most businesses, provided that each marketing communication includes an "unsubscribe" option, there is unlikely to have been any real need to contact customers other than as a proactive way of updating them on revised privacy terms. Additionally, if a business emails its marketing list saying that it needs their consent, and valid consent is then not provided, it risks forfeiting its ability to rely on alternative legal grounds for processing, meaning that it can no longer contact that individual.
However, if you do not have the requisite legal grounds to contact a data subject (e.g. you do not know how the data was acquired, the data was acquired through a bought list or the data subjects have already unsubscribed), and you contact that data subject to request consent, that act in itself could be a breach of PECR and could open up your business to the risk of penalties. If you are in any doubt about where the data in your databases has come from, we recommend taking a cautionary approach to contacting your data subjects and seeking legal advice in any event.
Under the GDPR, the national data protection authorities (such as the ICO in the UK) have new powers to issue sizeable fines of up to 4% of global business turnover or €20 million, whichever is the higher. These potential penalties are significantly more than authorities have been able to issue up until now.
Although businesses are understandably panicking about not being compliant by 25 May 2018, the Information Commissioner has openly accepted that most businesses will be on a "journey of compliance" and that the ICO will continue to take a proportionate and pragmatic approach to enforcement action and issuing fines. Additionally, while the maximum fines are substantial, these will only be issued for the most "serious" data breaches involving high-impact, intentional, wilful, neglectful or repeated breaches. When assessing whether or not to impose a penalty, and if so how much, the ICO will take into account the number of people affected, any damage to the data subjects, the negligent or intentional nature of the infringement, and action taken by the data controller to mitigate the damage.
That said, the ICO's other powers under the New DPA have also been enhanced. The New DPA (see more detail below) provides the ICO with the right to issue information or assessment notices, require urgent compliance within 24 hours, and inspect and assess compliance without notice.
Additionally, it is worth noting that the different national data protection authorities across Europe may implement their new powers under the GDPR in different ways with some authorities taking a harder line on enforcement than others.
The Data Protection Act 2018 ("New DPA") came into force on 25 May 2018. It repeals and replaces the previous Data Protection Act 1998 and ensures that the standards set out in the GDPR have effect in the UK. The New DPA also ensures that the UK and EU data protection regimes are aligned post-Brexit and the UK will continue to be able to exchange personal data freely with the EU. Under the GDPR, EU countries have the freedom to apply certain exemptions or provide for their own national rules in relation to certain types of personal data processing. In this regard, the New DPA contains the following national derogations:
- Special rules regarding the processing of personal data for journalistic purposes and in the areas of employment, health and research;
- The ICO's scope to exercise its powers under the GDPR, e.g.:
  - the ability to serve 'assessment notices' on businesses that would give it the right to enter business premises, access documents, equipment and other material, observe personal data processing and interview staff;
  - the duty to produce a number of new codes of practice in areas such as data sharing, direct marketing, and the processing of personal data by journalists;
- A number of new data protection offences including:
  - knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining the data obtained without consent;
  - selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed;
  - taking steps, knowingly or recklessly, to re-identify information that has been "de-identified" (although one of the defences that could be raised is where that action can be justified in the public interest).
The UK government has stated that the New DPA "makes our data protection laws fit for the digital age in which an ever increasing amount of data is being processed; empowers people to take control of their data; supports UK businesses and organisations through the change; ensure[s] that the UK is prepared for the future after we have left the EU".
This month the ICO has issued its final detailed guidance on consent, following the Article 29 Working Party guidance that was published last month (and was covered in our April issue of the bulletin, which is available here). In summary, consent needs to be specific and informed and it must specifically cover the following:
- The controller's identity. This means you need to identify yourself, and also name any third party controllers who will be relying on the consent. If you buy in 'consented' data, that consent is only valid for your processing if you were specifically identified.
- The purposes of the processing: separate consent will be needed for different processing operations wherever appropriate – so you need to give granular options to allow data subjects to consent separately to separate activities, unless this would be unduly disruptive or confusing.
- The processing activities: again, where possible you should provide granular consent options for each separate type of processing, unless those activities are clearly interdependent – but as a minimum you must specifically cover all processing activities.
- The right to withdraw consent at any time and a simple means to do so.
The ICO has also published a number of other useful guidance documents this month including detail on Data Protection Impact Assessments, the right to be informed, and determining what is personal data.
The new ICO guidance can be found here.
The Government, which has a statutory duty to ensure the ICO is adequately funded, has proposed a new funding structure, which means it will still be a legal requirement for data controllers to pay a data protection fee to the ICO after 25 May 2018 (despite the fact that registration with the ICO is no longer a statutory requirement). The payment obligation is under a separate law called the Digital Economy Act 2017, together with the Data Protection (Charges and Information) Regulations 2018, which also came into effect on 25 May 2018 to coincide with the GDPR.
The fees are calculated as follows:
- Tier 1 – Micro organisations: maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 (or £35 if paid by direct debit).
- Tier 2 – SMEs: maximum turnover of £36 million or no more than 250 members of staff. Fee: £60.
- Tier 3 – Large organisations: those not meeting the criteria of Tiers 1 or 2.
If a controller has registered with the ICO under the old rules in the past year, the new payment obligations will only apply once that existing annual notification has expired. Reminders will be sent to data controllers in the same manner as the previous registration procedure. Details of controllers who have paid the new fee will be kept in an ICO register.
The maximum penalty for getting it wrong is a £4,350 fine.
To pay the relevant fee, follow this link.
On 23 May 2018, the Government published a presentation on a proposed framework for the UK-EU partnership in relation to data protection in a post-Brexit scenario where the UK is no longer part of the European Economic Area ("EEA").
The presentation was produced by the UK negotiating team for discussion with the EU and focuses on the UK's proposals for the free flow of personal data between the UK and the EU.
The presentation proposed a new agreement between the EU and the UK building on standard adequacy in order to allow the continued flow of personal data between the UK and the EU. The agreement is intended to:
- Reflect the "unique degree of convergence between the EU and UK on data protection".
- Provide a high standard of data protection and also include dispute resolution and termination provisions.
- Ensure that UK businesses and consumers are effectively represented under the "one stop shop" mechanism.
The Government stated that a legally-binding agreement would introduce strong privacy protections for EU and UK citizens, greater certainty and the improvement of joined-up regulatory enforcement of data protection standards.
The EU and UK will agree on the future framework alongside the Brexit Withdrawal Agreement later in 2018.
Until the UK leaves the EEA, at which point an alternative data transfer mechanism will be required to demonstrate adequacy, the existing European Commission model clauses will still apply for transfers outside of the EEA (even though they were prepared under the 1998 Data Protection Act).
Max Schrems, the notorious privacy campaigner, and his non-profit organisation None Of Your Business ("NOYB") have issued complaints against Facebook, Google, Instagram and WhatsApp within hours of the GDPR coming into force. Mr Schrems previously filed a complaint against Facebook with the Data Protection Commissioner in 2013 which ultimately led to the Safe Harbour agreement (the mechanism used by thousands of companies to transfer data to the US) being declared invalid by the European courts.
In its four complaints, NOYB argues that the named companies are in breach of the GDPR because they have adopted a "take it or leave it" approach. The activist group says customers are required to agree to having their data collected, shared and used for targeted advertising, or delete their accounts, and it argues that this falls foul of the new rules because forcing people to accept wide-ranging data collection in exchange for using a service is prohibited under the GDPR.
Analysts and regulators had expected complaints to be filed shortly after the introduction of the GDPR, as organisations and privacy advocates argue over how the law should be interpreted.
The NCSC has published guidance which outlines the steps that businesses can take to defend themselves against cyber attacks where they are under increased risk of an attack. The guidance recommends:
- Undertaking a readiness review e.g. identifying all available sources of logging, where the logs are stored, how long the logs are retained, and who has access to them;
- Signing up to the Cyber Security Information Sharing Partnership, a joint industry and government initiative set up to exchange cyber threat information in real time;
- Improving defences using the NCSC's 10 Step Guide to Cyber Security;
- Reviewing security processes and keeping a list of authorised applications;
- Improving detection and response capabilities e.g. ensuring that systems are systematically backed up and that they can be recovered from archived data; and
- Reporting any incidents involving significant loss of data, system availability or system control, and any instances of unauthorised access to systems or the presence of malicious software to the NCSC 24/7 Incident Management team.
The full guidance can be found here.
On 18 May 2018, the NCSC and the ICO published a set of technical security outcomes considered to represent "appropriate measures" under Article 5(1)(f) of the GDPR.
The guidance sets out measures that are deemed appropriate to protect the security of personal data and it confirms that what is appropriate will depend on the relevant circumstances, the processing being undertaken and the risks associated with it.
It is directed at industry, local government and central government departments as well as those involved in their supply chains. The outcomes-based approach adopted in the guidance enables scaling to any size or complexity of organisation or data processing operation.
The guidance is split into four main aims, each of which is dealt with in further detail. These are as follows:
- managing security risk;
- protecting personal data against cyber-attack;
- detecting security events; and
- minimising impact of data breaches.
It also sets out the steps that should be taken following a personal data breach.
The detail provided in the guidance will help organisations to understand the security requirements set out in the GDPR and how best to comply with them. The full guidance can be found here.
On 10 May 2018, the new Network and Information Systems Regulations 2018 came into force. Their implementation has been rather overshadowed by the GDPR, however the new regulations will apply to many organisations in sectors such as banking, energy, health and transport and there are high fines at stake for non-compliance. Our colleagues discuss these new regulations and what they mean for the UK in the May edition of "COT's top four commercial issues" which can be found here.
The ICO has served a legal notice on SCL Elections Ltd ordering it to give an academic all the personal information the company holds about him. The Enforcement Notice gives the London-based data analytics company (and the British parent of Cambridge Analytica) 30 days to comply with a subject access request ("SAR") submitted by Professor David Carroll under the terms of the Data Protection Act 1998. Failure to do so is a criminal offence, punishable in the courts by an unlimited fine.
IAG Nationwide Ltd has been fined £100,000 after making more than 69,000 unsolicited calls for direct marketing purposes to subscribers who had registered with the Telephone Preference Service ("TPS"), in contravention of PECR. Recipients described the calls as "frightening", "threatening" and "aggressive". IAG also failed to correctly identify itself in the calls, did not give people the chance to opt out of receiving them and provided misleading information about the nature of the call.
The Crown Prosecution Service ("CPS") has been fined £325,000 by the ICO after it lost unencrypted DVDs containing recordings of police interviews. This is the second penalty imposed on the CPS following the loss of sensitive video recordings. The DVDs contained the most intimate sensitive details of the victims, as well as the sensitive personal data of the perpetrator, and some identifying information about other parties. The DVDs were sent in November 2016, but it was not discovered that they were lost until December that year. The CPS notified the victims in March 2017, and reported the loss to the ICO the following month. The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe.
The University of Greenwich has been fined £120,000 by the Information Commissioner following a "serious" security breach involving the personal data of nearly 20,000 people. The personal data included contact details of students, staff and alumni such as names, addresses and telephone numbers. It also included sensitive data such as information on extenuating circumstances, details of learning difficulties and staff sickness records. The information was posted on a "microsite" set up for a training conference which was never taken down or secured, and in 2016 multiple attackers exploited a vulnerability in the site, allowing them to access other areas of the web server. The ICO found that the University did not have in place appropriate technical and organisational measures for ensuring that its systems could not be accessed by attackers.